Analysis
max time kernel: 150s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-12-2024 18:00
Static task: static1
Behavioral task: behavioral1
  Sample: ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe
Size: 171KB
MD5: ecb5ea358c7ddbbc75cab797619d0361
SHA1: 8746bbd3160e693526b7062b865c258ee403a7c7
SHA256: 76bc749e3c7bc69c5f12cc7763a0cbbf9260bf037e1c31d37b2a615341d46c12
SHA512: fda865648fdc47d4e9bb650fddf6a7879522f1d9b249a290afbd9b97b5195eb6b2e2d592a2dad2740b6b2fe64a7ed816ee74941e50956c4c8e352bd716b29ffb
SSDEEP: 3072:KG+OnwL1pgJ8dhApBSLdqZ7CpvPk2mxNQn/womo:ZE1ZhAjVZ7Mvs2YTo
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
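The extracted config names only the encoder, not the payload it wraps. The example below is an added illustration, not Metasploit's own code: it models the transform the encoder's name describes (assumed here to be one fixed 32-bit key XORed against every little-endian dword of the payload) and leaves out the call+4 get-PC decoder stub. The payload bytes and the bad-character set are constructed stand-ins. It shows both sides of the coin: how an encoder picks a key that keeps bad characters out of the output, and why a fixed XOR key gives no confidentiality, since one known plaintext dword recovers it.

```python
"""Fixed-key dword XOR, the layer behind an encoder such as call4_dword_xor.
Added example, not Metasploit's code. Assumptions: one 32-bit key, little-endian
dwords, same key for every block; the get-PC stub is not modelled."""
import random
import struct

BADCHARS = b"\x00\x0a\x0d"                 # typical '-b' set; an assumption
SAMPLE_PAYLOAD = bytes(range(0x10, 0x2d))  # constructed 29-byte stand-in, not real shellcode


def pad4(data: bytes) -> bytes:
    """Pad to a dword boundary with NOPs (0x90) so the decoder loop is exact."""
    return data + b"\x90" * (-len(data) % 4)


def xor_dwords(data: bytes, key: int) -> bytes:
    """XOR every little-endian dword with the same 32-bit key. Self-inverse."""
    if len(data) % 4:
        raise ValueError("length must be a multiple of 4")
    return b"".join(struct.pack("<I", dw ^ key)
                    for (dw,) in struct.iter_unpack("<I", data))


def find_key(payload: bytes, badchars: bytes, rng: random.Random,
             tries: int = 100_000) -> int:
    """Generation-time step: draw random keys until neither the encoded blocks
    nor the key bytes (which the stub must embed) contain a bad character."""
    for _ in range(tries):
        key = rng.getrandbits(32)
        candidate = xor_dwords(payload, key) + struct.pack("<I", key)
        if not any(b in candidate for b in badchars):
            return key
    raise RuntimeError("no suitable key found")


def recover_key(encoded: bytes, known_first_dword: bytes) -> int:
    """Why a fixed key is not protection: one known or guessed plaintext dword
    (e.g. the first instructions of a well-known payload) yields the key."""
    (e,) = struct.unpack("<I", encoded[:4])
    (k,) = struct.unpack("<I", known_first_dword)
    return e ^ k


def demo(seed: int = 2024):
    """Encode, then decode with a key recovered from known plaintext only."""
    rng = random.Random(seed)          # seeded so the run is reproducible
    plain = pad4(SAMPLE_PAYLOAD)
    key = find_key(plain, BADCHARS, rng)
    enc = xor_dwords(plain, key)
    recovered = recover_key(enc, plain[:4])
    return key, enc, xor_dwords(enc, recovered)


if __name__ == "__main__":
    key, enc, dec = demo()
    print(f"key=0x{key:08x} encoded={enc.hex()} roundtrip_ok={dec == pad4(SAMPLE_PAYLOAD)}")
```

On a real blob the known dword would come from the expected payload's opening instructions; an encoder with key feedback (where each block changes the key) would not fall to a single-dword recovery like this.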
Signatures
-
MetaSploit
Detected a malicious payload belonging to the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Checks computer location settings 2 TTPs 17 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process | count
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe | 1
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | igfxwl32.exe | 16
Deletes itself 1 IoCs
pid | Process
1052 | igfxwl32.exe
Executes dropped EXE 32 IoCs
Process: igfxwl32.exe (32 instances)
pids, in order of appearance: 4620, 1052, 4224, 2248, 4776, 3964, 2672, 4728, 2660, 4136, 5060, 2608, 4528, 1704, 5108, 3480, 3500, 4792, 4984, 3872, 1344, 4116, 2756, 2848, 3888, 2276, 2884, 3536, 3996, 4876, 2844, 2672 (2672 appears twice: the PID was reused)
Maps connected drives based on registry 3 TTPs 34 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process | count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe | 1
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwl32.exe | 16
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwl32.exe | 16
Drops file in System32 directory 51 IoCs
description | ioc | Process | count
File opened for modification | C:\Windows\SysWOW64\ | ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe | 1
File created | C:\Windows\SysWOW64\igfxwl32.exe | ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe | 1
File opened for modification | C:\Windows\SysWOW64\igfxwl32.exe | ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe | 1
File opened for modification | C:\Windows\SysWOW64\ | igfxwl32.exe | 16
File created | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe | 16
File opened for modification | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe | 16
Suspicious use of SetThreadContext 17 IoCs
description | pid | Process | procid_target
PID 4272 set thread context of 2904 | 4272 | ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe | 82
PID 4620 set thread context of 1052 | 4620 | igfxwl32.exe | 89
PID 4224 set thread context of 2248 | 4224 | igfxwl32.exe | 93
PID 4776 set thread context of 3964 | 4776 | igfxwl32.exe | 97
PID 2672 set thread context of 4728 | 2672 | igfxwl32.exe | 99
PID 2660 set thread context of 4136 | 2660 | igfxwl32.exe | 101
PID 5060 set thread context of 2608 | 5060 | igfxwl32.exe | 103
PID 4528 set thread context of 1704 | 4528 | igfxwl32.exe | 105
PID 5108 set thread context of 3480 | 5108 | igfxwl32.exe | 107
PID 3500 set thread context of 4792 | 3500 | igfxwl32.exe | 109
PID 4984 set thread context of 3872 | 4984 | igfxwl32.exe | 111
PID 1344 set thread context of 4116 | 1344 | igfxwl32.exe | 113
PID 2756 set thread context of 2848 | 2756 | igfxwl32.exe | 115
PID 3888 set thread context of 2276 | 3888 | igfxwl32.exe | 117
PID 2884 set thread context of 3536 | 2884 | igfxwl32.exe | 119
PID 3996 set thread context of 4876 | 3996 | igfxwl32.exe | 121
PID 2844 set thread context of 2672 | 2844 | igfxwl32.exe | 123
YARA rule matches 23 IoCs
resource | yara_rule
behavioral2/memory/2904-0-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2904-2-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2904-3-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2904-4-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2904-40-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1052-44-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1052-46-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1052-45-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1052-47-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2248-57-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3964-63-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4728-70-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4136-77-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2608-84-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1704-91-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3480-97-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4792-105-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3872-112-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4116-119-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2848-128-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2276-136-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3536-144-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4876-152-0x0000000000400000-0x0000000000466000-memory.dmp | upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 34 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process | count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe | 32
Modifies registry class 17 IoCs
description | ioc | Process | count
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe | 1
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwl32.exe | 16
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | count
2904 | ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe | 4
1052 | igfxwl32.exe | 4
2248 | igfxwl32.exe | 4
3964 | igfxwl32.exe | 4
4728 | igfxwl32.exe | 4
4136 | igfxwl32.exe | 4
2608 | igfxwl32.exe | 4
1704 | igfxwl32.exe | 4
3480 | igfxwl32.exe | 4
4792 | igfxwl32.exe | 4
3872 | igfxwl32.exe | 4
4116 | igfxwl32.exe | 4
2848 | igfxwl32.exe | 4
2276 | igfxwl32.exe | 4
3536 | igfxwl32.exe | 4
4876 | igfxwl32.exe | 4
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | count (first 64 rows shown)
PID 4272 wrote to memory of 2904 | 4272 | ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe | 82 | 7
PID 2904 wrote to memory of 4620 | 2904 | ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe | 83 | 3
PID 4620 wrote to memory of 1052 | 4620 | igfxwl32.exe | 89 | 7
PID 1052 wrote to memory of 4224 | 1052 | igfxwl32.exe | 92 | 3
PID 4224 wrote to memory of 2248 | 4224 | igfxwl32.exe | 93 | 7
PID 2248 wrote to memory of 4776 | 2248 | igfxwl32.exe | 94 | 3
PID 4776 wrote to memory of 3964 | 4776 | igfxwl32.exe | 97 | 7
PID 3964 wrote to memory of 2672 | 3964 | igfxwl32.exe | 98 | 3
PID 2672 wrote to memory of 4728 | 2672 | igfxwl32.exe | 99 | 7
PID 4728 wrote to memory of 2660 | 4728 | igfxwl32.exe | 100 | 3
PID 2660 wrote to memory of 4136 | 2660 | igfxwl32.exe | 101 | 7
PID 4136 wrote to memory of 5060 | 4136 | igfxwl32.exe | 102 | 3
PID 5060 wrote to memory of 2608 | 5060 | igfxwl32.exe | 103 | 4
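Read together, the SetThreadContext and WriteProcessMemory tables show a strict alternation: every process that sets a child's thread context has first written to that child seven times, and the child it targets is a fresh copy of itself in a suspended state (the classic RunPE / process-hollowing sequence); the hollowed child then launches the next copy with only three writes and no context change. Because the image is 32-bit (the UPX matches sit at the 0x400000 image base, the drop lands in SysWOW64 and the CLSID key under WOW6432Node), the "C:\Windows\system32" in its command line is redirected to SysWOW64 by WOW64 file-system redirection. The following is an added detection example, not part of the sandbox report: it parses rows in the grammar these two tables use ("PID <src> <action> <dst> <src> <image> <procid_target>", an assumption about the extracted text), pairs writes with context changes per (source, target) PID, and rebuilds the spawn chain. The sample rows are a handful copied from the tables above, not every duplicate.

```python
"""Pair WriteProcessMemory and SetThreadContext events by (source, target) PID
to flag hollowing-style self-injection, and rebuild the spawn chain.
Added example, not part of the report. Row grammar is assumed from the tables:
'PID <src> <action> <dst> <src> <image> <procid_target>'."""
import re
from collections import Counter, defaultdict

# Constructed subset of rows from this report's two injection tables.
SAMPLE_ROWS = """\
PID 4272 set thread context of 2904 4272 ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe 82
PID 4620 set thread context of 1052 4620 igfxwl32.exe 89
PID 4224 set thread context of 2248 4224 igfxwl32.exe 93
PID 4272 wrote to memory of 2904 4272 ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe 82
PID 4272 wrote to memory of 2904 4272 ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe 82
PID 2904 wrote to memory of 4620 2904 ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe 83
PID 4620 wrote to memory of 1052 4620 igfxwl32.exe 89
PID 4620 wrote to memory of 1052 4620 igfxwl32.exe 89
PID 1052 wrote to memory of 4224 1052 igfxwl32.exe 92
PID 4224 wrote to memory of 2248 4224 igfxwl32.exe 93
"""

ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) \d+$"
)


def parse_rows(text):
    """Return (src, action, dst, image) tuples; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((int(m["src"]), m["action"], int(m["dst"]), m["image"]))
    return rows


def hollowing_pairs(rows):
    """(src, dst) pairs that show at least one memory write AND a thread-context
    change from the same source. Returns sorted (src, dst, image, write_count)."""
    writes = Counter()
    ctx = set()
    image = {}
    for src, action, dst, img in rows:
        image[(src, dst)] = img
        if action == "wrote to memory of":
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    return sorted((s, d, image[(s, d)], writes[(s, d)])
                  for (s, d) in ctx if writes[(s, d)])


def spawn_chain(rows, root):
    """Follow WriteProcessMemory edges from root; each hop is the next copy of the
    sample. Stops at a PID with no outgoing write, or on a cycle (PID reuse)."""
    children = defaultdict(set)
    for src, action, dst, _ in rows:
        if action == "wrote to memory of":
            children[src].add(dst)
    chain = [root]
    while children.get(chain[-1]):
        nxt = min(children[chain[-1]])   # deterministic choice if several children
        if nxt in chain:
            break
        chain.append(nxt)
    return chain


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for src, dst, img, n in hollowing_pairs(rows):
        print(f"hollowing candidate: {img} pid {src} -> {dst} ({n} writes + SetThreadContext)")
    print("spawn chain:", " -> ".join(map(str, spawn_chain(rows, 4272))))
```

Run against the full tables, the pair list reproduces all 17 SetThreadContext rows and the chain walks the process tree below; a child that appears as a source with writes but no context change is the "spawner" half of the alternation.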
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4272 -
[depth 2] C:\Users\Admin\AppData\Local\Temp\ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ecb5ea358c7ddbbc75cab797619d0361_JaffaCakes118.exe"
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2904 -
[depth 3] C:\Windows\SysWOW64\igfxwl32.exe
  command line: "C:\Windows\system32\igfxwl32.exe" C:\Users\Admin\AppData\Local\Temp\ECB5EA~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4620 -
[depth 4] C:\Windows\SysWOW64\igfxwl32.exe
  command line: "C:\Windows\system32\igfxwl32.exe" C:\Users\Admin\AppData\Local\Temp\ECB5EA~1.EXE
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1052 -
[depth 5] C:\Windows\SysWOW64\igfxwl32.exe
  command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4224 -
[depth 6] C:\Windows\SysWOW64\igfxwl32.exe
  command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2248 -
[depth 7] C:\Windows\SysWOW64\igfxwl32.exe
  command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4776 -
[depth 8] C:\Windows\SysWOW64\igfxwl32.exe
  command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3964 -
[depth 9] C:\Windows\SysWOW64\igfxwl32.exe
  command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672 -
[depth 10] C:\Windows\SysWOW64\igfxwl32.exe
  command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4728 -
[depth 11] C:\Windows\SysWOW64\igfxwl32.exe
  command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2660 -
[depth 12] C:\Windows\SysWOW64\igfxwl32.exe
  command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4136 -
[depth 13] C:\Windows\SysWOW64\igfxwl32.exe
  command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5060 -
[depth 14] C:\Windows\SysWOW64\igfxwl32.exe
  command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2608 -
[depth 15] C:\Windows\SysWOW64\igfxwl32.exe
  command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4528 -
[depth 16] C:\Windows\SysWOW64\igfxwl32.exe
  command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1704 -
[depth 17] C:\Windows\SysWOW64\igfxwl32.exe
  command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5108 -
[depth 18] C:\Windows\SysWOW64\igfxwl32.exe
  command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3480 -
[depth 19] C:\Windows\SysWOW64\igfxwl32.exe
  command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3500 -
[depth 20] C:\Windows\SysWOW64\igfxwl32.exe
  command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4792 -
[depth 21] C:\Windows\SysWOW64\igfxwl32.exe
  command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4984 -
[depth 22] C:\Windows\SysWOW64\igfxwl32.exe
  command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3872 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1344 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe24⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4116 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe26⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2848 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3888 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe28⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2276 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe30⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3536 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3996 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe32⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4876 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe34⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe35⤵PID:3748
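The process tree above is a long chain of igfxwl32.exe spawning itself, with the stages alternating between entries that carry only the SetThreadContext signature and entries that carry the drop/persistence signatures. The following Python is an added example, not part of the sandbox report or its tooling: it parses the report's flattened text format (one fused line per process followed by its signature bullets and a PID line), rebuilds the chain, and reports the stage pattern plus the fact that every command line names System32 while the loaded image sits in SysWOW64. The SAMPLE string is constructed from four of the entries above; the regexes, the Proc record and the stage letters I/D/- are this example's own conventions.

```python
# Added example (not part of the sandbox report): parse a flattened process
# tree in the report's own text format and summarise the self-replicating
# igfxwl32.exe chain.  SAMPLE is constructed from four of the report's entries.
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = r'''
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5108 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe18⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3480 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3500 -
C:\Windows\SysWOW64\igfxwl32.exe"C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe20⤵PID:4792
'''

# One process entry: <image path><quoted command line><depth>⤵[PID:<pid>]
ENTRY_RE = re.compile(r'^(?P<image>[^"]+?)(?P<cmdline>".+?)(?P<depth>\d+)⤵'
                      r'(?:PID:(?P<pid>\d+))?\s*-?\s*$')
PID_RE = re.compile(r'^PID:(?P<pid>\d+)')
INJECT_SIG = 'Suspicious use of SetThreadContext'
DROP_SIG = 'Drops file in System32 directory'


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)

    def role(self) -> str:
        """Stage letter: I = SetThreadContext stage, D = dropper stage, - = neither."""
        if INJECT_SIG in self.signatures:
            return 'I'
        if DROP_SIG in self.signatures:
            return 'D'
        return '-'


def parse_tree(text: str) -> List[Proc]:
    """Turn the report's flattened lines into Proc records.  Signature bullets
    and a trailing 'PID:n' line belong to the most recent process entry."""
    procs: List[Proc] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            pid = int(m['pid']) if m['pid'] else None
            procs.append(Proc(m['image'], m['cmdline'], int(m['depth']), pid))
        elif procs and line.startswith('- '):
            procs[-1].signatures.append(line[2:].strip())
        elif procs and (pm := PID_RE.match(line)):
            procs[-1].pid = int(pm['pid'])
    return procs


def analyse(procs: List[Proc]) -> dict:
    """Findings a triage analyst wants from this tree."""
    # Consecutive entries one level deeper with the same image are self-spawns.
    self_spawn = sum(1 for a, b in zip(procs, procs[1:])
                     if b.depth == a.depth + 1 and b.image.lower() == a.image.lower())
    # Command line names System32 but the image runs from SysWOW64: WOW64
    # file-system redirection of a 32-bit process on x64 Windows, so a disk
    # hunt for the dropped file must look in SysWOW64, not System32.
    redirected = [p.pid for p in procs
                  if '\\system32\\' in p.cmdline.lower()
                  and '\\syswow64\\' in p.image.lower()]
    return {
        'process_count': len(procs),
        'max_depth': max(p.depth for p in procs),
        'self_spawn_links': self_spawn,
        'stage_pattern': ''.join(p.role() for p in procs),
        'injector_pids': [p.pid for p in procs if p.role() == 'I'],
        'dropper_pids': [p.pid for p in procs if p.role() == 'D'],
        'wow64_redirected_pids': redirected,
    }


if __name__ == '__main__':
    for key, value in analyse(parse_tree(SAMPLE)).items():
        print(f'{key}: {value}')
```

Running it on the four constructed entries gives a stage pattern of I, D, I, - (the last entry has no signatures in the report, as with the depth 35 process above) and lists all four PIDs as WOW64-redirected. Feeding the full tree through the same parser makes the alternation visible across all 35 levels and gives the PID lists an analyst would pivot on in EDR telemetry.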
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize 64KB
MD5 807da6c6cfc66ee81c50304f2778d147
SHA1 35be616204443664138812cb42eb4f6be724db61
SHA256 f483c406a7ef58c8f2c982d0b6e57f69033fc6bbda55c1aa85ddcc6a00a87986
SHA512 61bedbafdbab2e7c609d036e740dfb70a73855003ba0cd9776409765acf43bd516933b7192c0ed5951ee6880cddb2392767666f23f5d59a45545a7246d7ff493

Filesize 171KB
MD5 ecb5ea358c7ddbbc75cab797619d0361
SHA1 8746bbd3160e693526b7062b865c258ee403a7c7
SHA256 76bc749e3c7bc69c5f12cc7763a0cbbf9260bf037e1c31d37b2a615341d46c12
SHA512 fda865648fdc47d4e9bb650fddf6a7879522f1d9b249a290afbd9b97b5195eb6b2e2d592a2dad2740b6b2fe64a7ed816ee74941e50956c4c8e352bd716b29ffb